git - Debian Package Tracker

general

source: git (main)
version: 1:2.51.0-1
maintainer: Jonathan Nieder (DMD)
uploaders: Anders Kaseorg [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.30.2-1+deb11u2
o-o-sec: 1:2.30.2-1+deb11u4
oldstable: 1:2.39.5-0+deb12u2
old-sec: 1:2.39.5-0+deb12u2
stable: 1:2.47.3-0+deb13u1
testing: 1:2.51.0-1
unstable: 1:2.51.0-1
exp: 1:2.51.0+next.20250825-1

versioned links

1:2.30.2-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.30.2-1+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.39.5-0+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.47.3-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.51.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.51.0+next.20250825-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

git (284 bugs: 0, 137, 147, 0)
git-all (2 bugs: 0, 0, 2, 0)
git-cvs (8 bugs: 0, 3, 5, 0)
git-doc (7 bugs: 0, 1, 6, 0)
git-email (18 bugs: 0, 7, 11, 0)
git-gui (21 bugs: 0, 11, 10, 0)
git-man (28 bugs: 0, 7, 21, 0)
git-svn (27 bugs: 0, 10, 17, 0)
gitk (28 bugs: 0, 9, 19, 0)
gitweb (17 bugs: 0, 7, 10, 0)

action needed

Failed to analyze the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

remote: Forbidden fatal: unable to access 'https://repo.or.cz/r/git/debian.git/': The requested URL returned error: 403

Created: 2025-09-29 Last update: 2025-10-04 00:30

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

more than one main upstream tarballs listed.

Created: 2021-08-24 Last update: 2025-10-03 23:00

4 security issues in bullseye high

There are 4 open security issues in bullseye.

3 important issues:

CVE-2025-27613: Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-46835: Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-48384: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

1 ignored issue:

CVE-2024-32020: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Created: 2025-07-08 Last update: 2025-09-06 12:03

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2024-32020: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Created: 2024-05-15 Last update: 2024-06-26 14:02

26 bugs tagged patch in the BTS normal

The BTS contains patches fixing 26 bugs (34 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2025-10-04 04:00

Depends on packages which need a new maintainer normal

The packages that git depends on which need a new maintainer are:

cvsps (#501257)
- Depends: cvsps
- Build-Depends: cvsps
docbook-xsl (#802370)
- Build-Depends-Indep: docbook-xsl

Created: 2019-11-22 Last update: 2025-10-04 02:34

lintian reports 63 warnings normal

Lintian reports 63 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-07-31 Last update: 2025-09-10 06:03

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2025-27613: (needs triaging) Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-46835: (needs triaging) Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-48384: (needs triaging) Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
CVE-2025-48385: (needs triaging) Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-07-08 Last update: 2025-09-06 12:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2019-07-08 Last update: 2025-08-27 05:03

news

[rss feed]

[2025-09-06] git 1:2.51.0-1 MIGRATED to testing (Debian testing watch)
[2025-08-26] Accepted git 1:2.51.0+next.20250825-1 (source) into experimental (Jonathan Nieder)
[2025-08-26] Accepted git 1:2.51.0-1 (source) into unstable (Jonathan Nieder)
[2025-08-22] Accepted git 1:2.47.3-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2025-08-13] git 1:2.50.1-0.1 MIGRATED to testing (Debian testing watch)
[2025-07-30] Accepted git 1:2.50.1-0.1 (source) into unstable (Adrian Bunk)
[2025-06-24] git 1:2.47.2-0.2 MIGRATED to testing (Debian testing watch)
[2025-06-22] Accepted git 1:2.47.2-0.2 (source) into testing-proposed-updates (Sebastian Andrzej Siewior)
[2025-06-17] Accepted git 1:2.50.0+next.20250615-1 (source) into experimental (Jonathan Nieder)
[2025-06-17] Accepted git 1:2.50.0-1 (source) into unstable (Jonathan Nieder)
[2025-06-17] Accepted git 1:2.49.0-3 (source) into unstable (Jonathan Nieder)
[2025-05-29] Accepted git 1:2.50.0~rc0+next.20250528-1 (source) into experimental (Jonathan Nieder)
[2025-05-29] Accepted git 1:2.49.0-2 (source) into unstable (Jonathan Nieder)
[2025-03-16] Accepted git 1:2.49.0+next.20250314-1 (source) into experimental (Jonathan Nieder)
[2025-03-15] Accepted git 1:2.49.0-1 (source) into unstable (Jonathan Nieder)
[2025-01-29] git 1:2.47.2-0.1 MIGRATED to testing (Debian testing watch)
[2025-01-28] Accepted git 1:2.30.2-1+deb11u4 (source) into oldstable-security (Sean Whitton)
[2025-01-27] Accepted git 1:2.39.5-0+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-01-26] Accepted git 1:2.39.5-0+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-01-21] Accepted git 1:2.47.2-0.1 (source) into unstable (Salvatore Bonaccorso)
[2025-01-02] Accepted git 1:2.48.0~rc1+next.20250101-1 (source) into experimental (Jonathan Nieder)
[2025-01-02] Accepted git 1:2.47.1-1 (source) into unstable (Jonathan Nieder)
[2024-12-22] Accepted git 1:2.45.2-1.3 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2024-11-08] Accepted git 1:2.45.2-1.2 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2024-10-23] Accepted git 1:2.45.2-1.1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2024-09-15] Accepted git 1:2.39.5-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jonathan Nieder)
[2024-09-13] Accepted git 1:2.39.5-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Jonathan Nieder)
[2024-09-03] Accepted git 1:2.30.2-1+deb11u3 (source) into oldstable-security (Sean Whitton)
[2024-08-25] git 1:2.45.2-1 MIGRATED to testing (Debian testing watch)
[2024-06-26] Accepted git 1:2.20.1-2+deb10u9 (source) into oldoldstable (Sean Whitton)

bugs [bug history graph]

all: 446 462
RC: 0
I&N: 203 204
M&W: 243 258
F&P: 0
patch: 26 34

links

homepage
lintian (0, 63)
buildd: logs, exp, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 94)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:2.51.0-1ubuntu1
90 bugs (2 patches)
patches for 1:2.51.0-1ubuntu1